The UK's House of Lords has just issued a report on Internet security, and it …

Lord Howie of Troon and the Baroness Platt of Writtle might not be the first two names that come to mind when thinking about Internet security, but the peers are part of the UK's House of Lords Science and Technology Committee, which has just released its report on "Personal Internet Security." And it's a corker: the Lords mince no words when they say that "the current emphasis of Government and policy-makers upon end-user responsibility for security bears little relation either to the capabilities of many individuals or to the changing nature of the technology and the risk."

If that sounds like a call for new regulation, it is—in some ways. The Lords recognize that "well-targeted incentives are more likely to yield results in such a dynamic industry than formal regulation," but they do propose a whole host of changes to British law and policy that are worth consideration by many governments.

People are overwhelmed by computer security. Sure, you might not be, but parents, friends, and coworkers are often baffled by firewalls, phishing attacks, and the idea of "botnets." PC security has become a mess, and the Lords suggest that simply expecting the general population to keep up with all these threats is unrealistic. Instead, they hope to shift at least some of the burden to both business and government.

One idea is for the UK to develop a voluntary "kite mark" that software makers and ISPs can use to brand products that meet a set of security standards. Such a mark would give users confidence that the software or hardware in question will at least follow current "best practices" when it comes to security.

More controversially, the report suggests that ISPs be asked to monitor traffic on their networks in order to detect "bad" traffic from viruses and botnets (hello, deep packet inspection). When such traffic is detected, ISPs would be expected to take action against the infected machines that are transmitting it. If they do not, their "mere conduit" immunity would be removed and they would be liable for damages. This would no doubt prove unpopular with ISPs, but it could significantly reduce the transmission of e-mailed viruses and would make it harder for botnets to mount DDoS attacks, at least to the extent that such traffic can actually be distinguished from legitimate use at the network level.

Liability is also suggested for hardware and software vendors in cases where it can be shown that the companies were negligent regarding security. If a company issues a firewall that doesn't actually protect machines from incoming attacks, that company could potentially be on the hook for millions of pounds in damages.

Banks, too, would come in for some new liability. According to the committee, "Banks should be held liable for losses incurred as a result of electronic fraud."

See a trend here? Rather than expand government regulation, the Lords are suggesting that the threat of legal action be used to encourage companies to take security more seriously. Banks, hardware and software vendors, and ISPs would all find themselves on the receiving end of more lawsuits, which would raise both their own costs and their internal wariness about doing anything that could get them sued. That sort of fear might prove healthy, but it might also cause companies not to release potentially useful products for fear of legal action.

Still, something has to be done to stem the tide of spyware, viruses, and other assorted malware. The Lords suggest cracking down in some more traditional ways as well: making botnet buying explicitly illegal and providing a simpler way for people to notify the authorities about electronic crime. There's also the call for some government-funded research centers to investigate security and alternative network architectures.

What more should consumers be doing? The committee has a few suggestions on that front too, but in its view, leaving security up to individuals has almost completely failed, and something new needs to be tried. Is shifting the burden to business the answer?